spexta trojan installs to protected folder

shawn modersohn

Running XP SP2,

I have just seen a curious virus identified by Symantec Corporate 10.1.
The virus is called trojan.spexta and is a mass mailing worm. The
computer is locked down. Users are only given limited accounts. I am
the only user who logs in as Admin and I assure you I am careful in this
account. The issue I am having and according to the logs, is that this
particular virus somehow manages to write directly to c: and
c:\windows\system32 with a file called eventmgr.exe. I have seen this
process eat 100% of the system resources. I think that it might be
getting in through a users web mail of choice. This system is fully
patched so how is this possible? As far as I can fathom, this virus
must be using some exploit that overrides folder security.
 
David H. Lipman

From: "shawn modersohn" <[email protected]>

| Running XP SP2,
|
| I have just seen a curious virus identified by Symantec Corporate 10.1.
| The virus is called trojan.spexta and is a mass mailing worm. The
| computer is locked down. Users are only given limited accounts. I am
| the only user who logs in as Admin and I assure you I am careful in this
| account. The issue I am having and according to the logs, is that this
| particular virus somehow manages to write directly to c: and
| c:\windows\system32 with a file called eventmgr.exe. I have seen this
| process eat 100% of the system resources. I think that it might be
| getting in through a users web mail of choice. This system is fully
| patched so how is this possible? As far as I can fathom, this virus
| must be using some exploit that overrides folder security.

It is a spam Trojan and NOT a virus. It does NOT self replicate.
http://www.symantec.com/security_response/writeup.jsp?docid=2005-071013-3940-99&tabid=2

There are also anti-virus newsgroups for this kind of subject matter. In the Microsoft.*
hierarchy there is: news://msnews.microsoft.com/microsoft.public.security.virus

What most people fail to realize is that vulnerabilities may be exploited and there are so
many of them. Many vulnerabilities exist in buffer overflow conditions where the result is an
elevation of privileges. It is this "elevation of privileges" that people miss. That
means even on a limited account, if an exploitation is successfully accomplished, the
exploitation will be able to take advantage of the OS and install any kind of malware at its
pleasure.

Since this is a Trojan, not a virus, it requires assistance to get installed, and
exploitations are often used. It could be a simple social engineering method or a complex
PHP or HTML web page. There are many software packages that can be exploited to install this spam
Trojan. Vulnerabilities in: Sun Java, IE, Apple QuickTime, Adobe/Macromedia Flash, etc.

What is *most* important is this is a spamming tool and the PC in question MUST be taken off
the Internet prior to it being cleaned.
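One way to check the indicator the original post names and confirm that folder security is intact, as an added example (not code from the thread or from Symantec): it assumes Windows PowerShell 2.0 or later and that the file name and folders are exactly the ones the post describes. If no limited-user principal holds write rights on the parent folder, the file was written from an elevated context, which is the reply's point about privilege elevation.

```powershell
# Added example, not code from the thread or from Symantec. Assumes Windows
# PowerShell 2.0 or later; the file name and folders are the ones the post names.
function Test-SpextaDropLocation {
    param([string[]]$Paths = @('C:\eventmgr.exe', 'C:\Windows\System32\eventmgr.exe'))

    foreach ($path in $Paths) {
        $dir = Split-Path -Parent $path
        Write-Host "== $path"

        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $sig  = Get-AuthenticodeSignature -FilePath $path
            Write-Host ("  present: {0} bytes, created {1}" -f $item.Length, $item.CreationTime)
            # An unsigned binary in System32 named like a Windows component is a red flag.
            Write-Host ("  Authenticode: {0}" -f $sig.Status)
            Write-Host ("  owner: {0}" -f (Get-Acl -Path $path).Owner)
        } else {
            # Absent is also what you see after the AV product has quarantined it.
            Write-Host "  not present"
        }

        # Which principals may create files in the parent folder? If 'Users' or
        # 'Everyone' is absent here, NTFS permissions were not bypassed: the file
        # was written by something already running with elevated rights.
        $writers = (Get-Acl -Path $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles')
        }
        Write-Host "  principals allowed to write in ${dir}:"
        foreach ($ace in $writers) {
            Write-Host ("    {0}: {1}" -f $ace.IdentityReference, $ace.FileSystemRights)
        }
    }
}

Test-SpextaDropLocation
```

Run it from an elevated prompt on the affected machine while it is disconnected from the network, as the reply advises.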
 
shawn modersohn

David said:
| From: "shawn modersohn" <[email protected]>
|
| | Running XP SP2,
| |
| | I have just seen a curious virus identified by Symantec Corporate 10.1.
| | The virus is called trojan.spexta and is a mass mailing worm. The
| | computer is locked down. Users are only given limited accounts. I am
| | the only user who logs in as Admin and I assure you I am careful in this
| | account. The issue I am having and according to the logs, is that this
| | particular virus somehow manages to write directly to c: and
| | c:\windows\system32 with a file called eventmgr.exe. I have seen this
| | process eat 100% of the system resources. I think that it might be
| | getting in through a users web mail of choice. This system is fully
| | patched so how is this possible? As far as I can fathom, this virus
| | must be using some exploit that overrides folder security.
|
| It is a spam Trojan and NOT a virus. It does NOT self replicate.
| http://www.symantec.com/security_response/writeup.jsp?docid=2005-071013-3940-99&tabid=2
|
| There are also anti-virus newsgroups for this kind of subject matter. In the Microsoft.*
| hierarchy there is: news://msnews.microsoft.com/microsoft.public.security.virus
|
| What most people fail to realize is that vulnerabilities may be exploited and there are so
| many of them. Many vulnerabilities exist in buffer overflow conditions where the result is an
| elevation of privileges. It is this "elevation of privileges" that people miss. That
| means even on a limited account, if an exploitation is successfully accomplished, the
| exploitation will be able to take advantage of the OS and install any kind of malware at its
| pleasure.
|
| Since this is a Trojan, not a virus, it requires assistance to get installed, and
| exploitations are often used. It could be a simple social engineering method or a complex
| PHP or HTML web page. There are many software packages that can be exploited to install this spam
| Trojan. Vulnerabilities in: Sun Java, IE, Apple QuickTime, Adobe/Macromedia Flash, etc.
|
| What is *most* important is this is a spamming tool and the PC in question MUST be taken off
| the Internet prior to it being cleaned.

Thanks for your input and echoing my suspicions. Also a good point that
the exploit might not be solely Windows' fault. As you mentioned in
your examples, this exploit could be manipulated through any number of
software packages. Adobe Reader, Flash, Quick Time, etc. At least on
the desktop level, I still maintain that it is the operating system's
responsibility to protect system files and folders from writing despite
any flaw in any said software. Doesn't this mean there is a patch that
windowsupdate.com owes us?
 
David H. Lipman

From: "shawn modersohn" <[email protected]>


| Thanks for your input and echoing my suspicions. Also a good point that
| the exploit might not be solely Window's fault. As you mentioned in
| your examples, this exploit could be manipulated through any number of
| software packages. Adobe Reader, Flash, Quick Time, etc. At least on
| the desktop level, I still maintain that it is the operating system's
| responsibility to protect system files and folders from writing despite
| any flaw in any said software. Doesn't this mean there is a patch that
| windowsupdate.com owes us?

What was the point of exploitation?

Use the Secunia Software Inspector to find any/all known vulnerabilities.
http://secunia.com/software_inspector

Then you can mitigate the threats.
 
Guest

| I still maintain that it is the operating system's
| responsibility to protect system files and folders from writing despite
| any flaw in any said software.

Should it do so even when the user has TOLD it to go ahead and install the
software, though? That is the question.

It's very easy to craft an Internet Explorer window that looks like a
message from Adobe or Real to the effect that your player needs updating...
only it does nothing of the sort, but installs a Trojan instead. I think it's
reasonable to assume that Vista's user-elevation mechanism offers no
protection in such cases either, because the user will be _expecting_ to see
an admin-access prompt, and will respond Yes.

IMHO it would be better if these products didn't pop automatic-update
prompts; if they instead simply stated that they need updating to show this
particular content, that would be much more secure.

It's also true that a lot of websites create unnecessary problems by
including Flash/Real/Acrobat code that triggers an auto-update prompt even
when the user's player is adequate for the content, so users are constantly
pestered by update-requests for no good reason, and the habit of hitting
Yes...Yes... Yes... -without looking or thinking- gets ingrained as a result.
Again it would be much better from a security point of view if this practice
was avoided.